Logstash Filter Issue with Apache2

harshanarayana · June 9, 2016, 6:15am

Hi All,

I've recently started using the Log handler Trio of Logstash + ELK + Kibana to work analyze through my apache logs during my daily work activities. However, I'm facing some issues with Grok when it comes to filtering the log messages and parsing them for ELK. Can someone please guide me in the right direction as to what is wrong ?

input {
    file {
      path  =>  "/var/log/apache2/error.log"
      type  =>  "apacheerror"
    }
    file {
      path  =>  ["/var/log/apache2/access_log.http", "/var/log/apache2/access_log.https"]
      type  =>  "apacheaccess"
    }
    file {
      path  =>  "/var/log/messages"
      type  =>  "syslog"
    }
    file {
      path  =>  ["/var/log/mysql.log", "/var/log/mysql.err"]
      type  =>  "MySQL"
    }
    file {
      path => "/var/log/apache2/*.ls_json"
      tags => "apache_json"
      codec => "json"
    }
  }

  filter {
    if [type] == "syslog" {
      grok {
        match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
        add_field => [ "received_at", "%{@timestamp}" ]
        add_field => [ "received_from", "%{host}" ]
      }
      syslog_pri { }
      date {
        match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
      }
    }
    if [type] == "apacheerror" {
     grok {
       match => { "message" => "^\s{0,}\[(?<timestamp>%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR})\]\s+(\[%{WORD:loglevel}\]\s+)?%{GREEDYDATA:message}" }
       add_field => [ "apache_received_at", "%{@timestamp}" ]
       add_field => [ "apache_received_from", "%{host}" ]
     }
    }
  }


  output {
    elasticsearch { host => localhost }
  }

Above is my Logstash Configuration file.

And the below is a set of sample logs from my error.log file in Apache.

  [Thu Jun 09 06:02:02 2016] [error] Exception KeyError: KeyError(140605482088256,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored
  [Thu Jun 09 06:02:03 2016] [error] Exception KeyError: KeyError(140605482088256,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored
  [Thu Jun 09 06:02:03 2016] [notice] caught SIGTERM, shutting down
  [Thu Jun 09 06:02:04 2016] [notice] Apache/2.2.14 (Ubuntu) mod_ssl/2.2.14 OpenSSL/0.9.8k mod_wsgi/2.8 Python/2.6.5 configured -- resuming normal operations
  [Thu Jun 09 06:06:39 2016] [error] [client 000.000.000.000] This is it at /usr/local/DOCS/xyz/abcd.cgi line 56, 
  [Thu Jun 09 06:06:56 2016] [error] Exception KeyError: KeyError(139653229332288,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored
  [Thu Jun 09 06:06:57 2016] [error] Exception KeyError: KeyError(139653229332288,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored
  [Thu Jun 09 06:06:58 2016] [error] Exception KeyError: KeyError(139653229332288,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored
  [Thu Jun 09 06:06:59 2016] [error] Exception KeyError: KeyError(139653229332288,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored
  [Thu Jun 09 06:07:00 2016] [error] Exception KeyError: KeyError(139653229332288,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored
  [Thu Jun 09 06:07:01 2016] [error] Exception KeyError: KeyError(139653229332288,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored
  [Thu Jun 09 06:07:02 2016] [error] Exception KeyError: KeyError(139653229332288,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored
  [Thu Jun 09 06:07:03 2016] [error] Exception KeyError: KeyError(139653229332288,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored
  [Thu Jun 09 06:07:04 2016] [error] Exception KeyError: KeyError(139653229332288,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored
  [Thu Jun 09 06:07:05 2016] [error] Exception KeyError: KeyError(139653229332288,) in <module 'threading' from '/usr/lib/python2.6/threading.pyc'> ignored

These apache log messages show as a complete string when I filter only for 'message' from my Kibana. However, the Syslog Component works fine.

magnusbaeck · June 9, 2016, 7:10am

I can't find anything obviously wrong with your grok expression. Start with the simplest possible expression, ^\s{0,}\[(?<timestamp>%{DAY} and make sure that works. Then add tokens until it breaks. Are your Apache error log events tagged with _grokparsefailure?

I strongly recommend that you use a stdout { codec => rubydebug } output while debugging.

harshanarayana · June 9, 2016, 8:33am

Thanks for your quick response.

I think i might have figured out the reason behind the mess I was facing.

   match => { "message" => "^\s{0,}\[(?<timestamp>%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR})\]\s+(\[%{WORD:loglevel}\]\s+)?%{GREEDYDATA:message}" }

The {GREEDYDATA:message} that was in my Pattern Match gets overpowered by the message causing the fetched RegEx pattern to be over-written by the actual line itself.

I changed {GREEDYDATA:message} to {GREEDYDATA:apache_message} and that seems to have resolved my problem.

harshanarayana · June 9, 2016, 8:52am

Just so if someone want's to re-use this, following is the RegEx that worked perfectly for me.

^\s{0,}\[(?<timestamp>%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR})\]\s+(\[%{WORD:loglevel}\]\s+)?(\[client.*\])?%{GREEDYDATA:apache_message}(, referer\:.+)

May the Force be with you.

Topic		Replies	Views
Apache grok filter not working the way I expect it to. Should I be using a different approach? Logstash	5	436	April 23, 2018
Logstash filter not working as expected Logstash	13	3545	June 8, 2017
Syslog + Apache log => _Grokparsefailure Logstash	7	1749	July 12, 2017
Filter Multiple Patterns Logstash	4	1009	September 22, 2017
Sample apache filter doesnt works 7.1.x Logstash	7	713	July 23, 2019

Logstash Filter Issue with Apache2

Related topics